
user privilege Privilege Level problem


badenough

IS-IT--Management
Jul 23, 2009
4
GB

I have a user set up on the ASA local database with privilege level 5. When I add him to the default VPN group-policy his privilege level goes up to 15. How can I stop this, as I want him to have only privilege level 5?

My AAA is as follows. I'm only using the local database on the ASA for my accounts.

aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
 
So this is when this user logs in to the ASA to make changes? They enter their creds, then go into enable mode, then 'sh priv' has them at 15? Try putting them into another VPN group.
 

When the user is not a member of any group and logs on, they appear to have the correct privilege level. It's when I add them to the default VPN group-policy that they seem to get privilege level 15, and I don't know why, as there isn't any setting that should override the configured user's privilege level.

I tried creating another group-policy, but it obviously inherits the credentials of the default VPN group-policy and gives me the same result.

I'm lost on this one. Any help appreciated.
 
Badenough,
Do you use the GUI? In there, the last thing I do after I've created and applied a local user is to edit that user's properties. (Configure :: Remote Access VPN :: AAA Setup :: User :: Edit). That is where & when I set their privileges.

You are right that creating a new group-policy starts as the default policy. Once I've saved it, I then modify it and save it again.

Hope this helps.

Kmills
 
Just tried it through the CLI with v7.2(1) and no problems there. What version are you running?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I'm running ASA version 7.2(2). Below is my config.

aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL

group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate


group-policy Test internal
group-policy Test attributes
wins-server value 10.5.11.40 10.6.11.26
dns-server value 10.5.12.17 10.5.12.18
vpn-idle-timeout none
default-domain value test.org
address-pools value IT_VPN


username Richie_Richie password BRTkoIGzF8Edg0sy encrypted privilege 3
username Richie_Richie attributes
vpn-group-policy Test


I then log into the firewall and run the sh curpriv command

FW-Test# sh curpriv
Username : Richie_Richie
Current privilege level : 15
Current Mode/s : P_PRIV

I'd love to know where the privilege level 15 comes from, as my user is clearly set at privilege level 3. Any help appreciated.
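The post above pairs a running config (a local user at privilege 3 with a vpn-group-policy) against `show curpriv` output that reports 15. The script below is an added example, not part of the thread or any Cisco tool: it parses an ASA config in the flattened form the forum paste has (sub-command indentation lost, so block membership is inferred from keywords, which is an assumption of this parser), records each local user's configured privilege level and group-policy assignment, parses `show curpriv` output, and reports any user whose observed level differs from the configured one. The sample config is constructed from the lines posted above plus two hypothetical users (`admin`, `helpdesk`) to exercise the default-level and level-15 branches; the default of 2 for a `username` line with no `privilege` keyword is the documented ASA default. The script only surfaces the discrepancy; it does not claim to explain it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the config posted in the thread. The forum
# paste lost the indentation of attribute sub-commands, so the parser does
# not rely on it. 'admin' and 'helpdesk' are hypothetical additions.
SAMPLE_CONFIG = """\
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-policy Test internal
group-policy Test attributes
dns-server value 10.5.12.17 10.5.12.18
address-pools value IT_VPN
username Richie_Richie password BRTkoIGzF8Edg0sy encrypted privilege 3
username Richie_Richie attributes
vpn-group-policy Test
username admin password ABCDEFGHIJKLMNOP encrypted privilege 15
username helpdesk password QRSTUVWXYZABCDEF encrypted
"""

# Constructed copy of the 'show curpriv' output from the post.
SAMPLE_CURPRIV = """\
FW-Test# sh curpriv
Username : Richie_Richie
Current privilege level : 15
Current Mode/s : P_PRIV
"""

# Assumption: any line starting with one of these is a new top-level command
# and therefore ends the current 'username ... attributes' block.
TOP_LEVEL = ("aaa ", "username ", "group-policy ", "access-list ", "interface ", "!")


@dataclass
class LocalUser:
    name: str
    privilege: int = 2  # ASA default when the username line has no 'privilege'
    group_policy: Optional[str] = None
    attributes: List[str] = field(default_factory=list)


def parse_local_users(config: str) -> Dict[str, LocalUser]:
    """Collect local users, their privilege level and vpn-group-policy."""
    users: Dict[str, LocalUser] = {}
    current: Optional[LocalUser] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"username (\S+) (.*)", line)
        if m:
            name, rest = m.groups()
            user = users.setdefault(name, LocalUser(name))
            if rest == "attributes":
                current = user  # following sub-commands belong to this user
                continue
            current = None
            pm = re.search(r"\bprivilege (\d+)\b", rest)
            if pm:
                user.privilege = int(pm.group(1))
            continue
        if line.startswith(TOP_LEVEL):
            current = None
            continue
        if current is not None:
            current.attributes.append(line)
            gm = re.match(r"vpn-group-policy (\S+)", line)
            if gm:
                current.group_policy = gm.group(1)
    return users


def parse_curpriv(output: str) -> Tuple[str, int]:
    """Return (username, level) from 'show curpriv' output."""
    name: Optional[str] = None
    level: Optional[int] = None
    for line in output.splitlines():
        if line.startswith("Username"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Current privilege level"):
            level = int(line.split(":", 1)[1].strip())
    if name is None or level is None:
        raise ValueError("could not parse show curpriv output")
    return name, level


def compare_with_curpriv(users: Dict[str, LocalUser], output: str) -> Tuple[str, Optional[int], int]:
    """Return (username, configured level or None if unknown, observed level)."""
    name, observed = parse_curpriv(output)
    user = users.get(name)
    return name, (user.privilege if user else None), observed


def audit(config: str, curpriv_output: Optional[str] = None) -> List[str]:
    """Findings: level-15 users, sub-15 users that also carry a vpn-group-policy
    (the combination in the thread), and configured-vs-observed mismatches."""
    users = parse_local_users(config)
    findings: List[str] = []
    if not re.search(r"^aaa authorization command LOCAL$", config, re.M):
        findings.append("no 'aaa authorization command LOCAL': local command authorization is not enabled")
    for u in users.values():
        if u.privilege >= 15:
            findings.append(f"{u.name}: configured privilege 15 (full admin)")
        elif u.group_policy:
            findings.append(f"{u.name}: privilege {u.privilege} with vpn-group-policy {u.group_policy}; verify with 'show curpriv' after login")
    if curpriv_output:
        name, configured, observed = compare_with_curpriv(users, curpriv_output)
        if configured != observed:
            findings.append(f"{name}: configured privilege {configured} but show curpriv reports {observed}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_CURPRIV):
        print(finding)
```

Run against the sample, the last finding is the one the poster is chasing: configured 3, observed 15. Feeding the script a `show running-config` and a `show curpriv` capture from each login path (SSH, ASDM, serial) would show whether the jump happens for every path or only one.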
 